Kazakhstan, Singapore, Ukraine. More than 280 students, about 120 students, the rest of the password enthusiasts and professionals.

15 tasks were proposed to the participants. The mathematical task of the Olympic Games is to study the differential properties of s-block, the relationship between the simplest operations, and so on; Module 2K for generating cipher: cyclic shift and addition; construction of special linear subspace in f ^; result of Equation Solver (f) x) + F) + X + a = B for finding number F2n and APN functions. There are also game tasks, such as krypton task, decryption of secret messages, analysis of music code. [1, 2] detailed tasks and solutions are discussed in []. In this case, [2] includes not only an analysis of all tasks, but also comments on the decisions of participants, the organization of the Olympic Games and the list of winners.

Olympic winners are from Novosibirsk, Omsk, Moscow, St. Petersburg, Saratov, Minsk) and Lewin, Belgium: 15 in the first round and 11 in the second. The second round. The awarding ceremony for the winners was held at the National University of Novosibirsk in December.

Nsucrypto is planned as an annual event. Next time, it will be in November 2011. See you. www.nsucrypto.nsu.ru。 We invite everyone who is willing to join us! For example, attendees can choose the category of "amateur / professional".

Reference material

1. Agievich S.、Gorodilova A.、Kolomeec N.、Nikova S.、et al. Mathematical problems of the first international student's Olympiad in cryptography nsucrypto / / IV Symposium "contemporary encryption trends" ctcrypt 15, Kazan, June 3-5, 2015

2. Agievich S.、Gorodilova A.、Kolomeec N.、Nikova S.、et al. Problems, solutions and experience of the first international student's Olympiad in cryptography / / application discrete mathematics. 2015. (3) 29.

ODC 519.95 DOI 10.17223/222608X 8/28

Attacking a linear homomorphic cryptosystem 1

Ah. B. Trebacheva

In this paper, a linear homomorphic cryptosystem for a new attack strategy is described, Its security is based on a complex factorization problem. It provides theoretical and practical estimates of the possibility of opening a secret key in such an attack. This is a connection analysis issue to determine the security of digital and encryption systems and to prevent code attacks, It provides a more efficient password system modification.

Keywords: homomorphic encryption, numerical factorization, code attack.

introduction

With the expansion of cloud services, the problem is to build a completely homomorphic encryption system.)（

1 the work was supported by scholarship 15-07-00597-a.

It has become more important for encrypted data. The main focus of this field is to establish global warming potential according to lattice theory and "gentleman 1" method. However, the current calculation efficiency of this type of global warming potential is very low, which is not suitable for practical operation. Therefore, we are still looking for an alternative global warming potential. This alternative global warming potential does not use the "gentleman" method, but an effective and secret method. In particular, the global warming potential with the goal of digital materialization is being actively proposed. This paper analyzes one of the recently proposed types of global warming potentials. [original] Based on the determination of linear equations and not studied in the literature (Russian Chinese translation) The probability of success is estimated according to different parameters.

1. [2] All homomorphic encryption system and its basic characteristics

2. [attack code in GG] 2]

Suppose that the enemy intercepts the sequence and e ^ P2, g = 1.... note that encrypted Mi e g = 1 Type, key Obviously, the characteristic polynomial siagge) e 2p ^ of T ^ root is C ^ because P is difficult to factor, and it is difficult to find the root in general. According to this characteristic B] However, this actually works unless the probability distribution in the open text P = Zn space is close to the same. For example, if, for example, this is p {M / L} = 0, according to 3, ^ can be found in the county.

Consider another strategy of the Russian Federation Suggest the enemy to solve linear equations

((

For g = 1. ",,,,, 1“ Obviously, if there is a g, such as t.1 = T ^, the corresponding equations) 1) there is a decision G ^ c-1e1 e? P. We estimate the probability of at least one couple, so t.1 = t. This will require the next lemma.

Lemma 1. The probability of e-point appearing at least twice in a row ({T: k = 1,}) Where the probability distribution of generation of TZ e Zn is t,

1-pm w-1pm, where PM is based on the probability of occurrence of D.

D distribution here is considered to be all m ^ independent. [sighs]

N-1 \n-1

See the original PRT = 1-p) ((1-p TV. T) (a = 1-p)（（

A=0 A=0

In this case, a G Z n is based on the probability of D. other non-zero solutions, except V1, system（ TJ is uniformly distributed as Zn value. By selecting a P, you can think of PR ^ 0, so the probability of the described attack success is PRT.

For any d fair Lim PRT = 1. But the attack is impractical.

Can't you find what you want? Try a reference tool.

T-u^o

For any D because of large P = Zn. Its best work is the discrete Gaussian distribution d = DZN, Di, A2, where ^ mathematical expectation; 2-dispersion and A2 ^ P The table gives the PT values of different T in P 1C ^ P = 1024 and A2 ^ p; and provides the actual probability estimation, the possibility of PRT finding v1. Through the above strategies, Results obtained during the test. Each PRT was tested 104 times independently.

T Prt

500.88 0.85

7009550945

9009980.99

1201099999

3. The relationship between the difficulty of factorization of large numbers and the security of encryption system

However, in order to strictly associate encryption with the task of materialization, The opposite argument must be made. But it is not implemented, because if the known P, Q, it is incorrect to decrypt C. in fact, according to China's remaining char (x) theory, C has four roots, and choose From where

They are open text and will need D. on this basis, you can modify

I

[original: English] Let n be defined as n = P ^, where PK prime, pi = PJ Decision

K=l

Char equation) (x = 0 is not difficult now, because n can be factorized. However, the number of solutions is 2L. When you understand D, you have to select open text ^ 2L transactions in these solutions. If you put L = 120, then many will be huge, and attacking char) (x) will be impossible. Moreover, the computational complexity of this peak period is equivalent to the factorization complexity of 1024 bit RSA module), using the digital field array method, namely. E. The complexity of char (x) attacks is still the same. In this case, the size n can be reduced, and the appropriate way is chosen, PK, k = 1 love,..., l; therefore, global warming potential [2] becomes more effective.

conclusion

Attack according to the decision of linear equations [2] Its practicability depends on the distribution of D in the open text space. If D is very different from uniformity, such as d-gaussian distribution and a small variance, the attack is successful. In order to practice

Reference material

1. Gueller A.Can Homomophic Cryptography ensure Privacy？ PhD thesis，Inria；IRESA；Supelec Rennes，equipe Cidre；Universite de Rennes 1，2014.

2. Kipnis A.and Hibshoosh E.2001.Efficient methods for practical fully hommorphic symmetric-key encrypton，randomization and verification//IACR Cryptology ePrint Archive. 2012. Number 637th.

3. Vizar D.and Vaudenay S.2005.Analysis of chosen symmetric hommorphic schemes//Central European Crypto Conference，Budapest，Hungary，2014，EPFL-CONF-198992.